On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:

________________________________

From: "Dmitri Pal" <d...@redhat.com>
To: freeipa-users@redhat.com
Sent: Thursday, 25 July, 2013 11:35:32 PM
Subject: Re: [Freeipa-users] still failing to get a RHEL 5 client to join, LDAP bind issue?

On 07/25/2013 03:51 PM, Armstrong, Kenneth Lawrence wrote:
I am still having issues trying to get a RHEL 5.9 client to join a RHEL 6.4 IdM 
domain.

All packages on both systems updated.

First problem is this:

ipa-client-install --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates

Which fails with:

root        : ERROR    Cannot obtain CA certificate
'ldap://lnxrealmtest01.liberty.edu' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

All of the appropriate ports are open on the IdM server, and I verified this by 
telnetting to all of them.

I worked around this by running this:

wget -O /etc/ipa/ca.crt http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt

Then ran:

ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt

And I was having better results, so apparently the RHEL 5.9 ipa-client-install 
does not want to download my cert.

This rings a bell. It sounds like a known issue for 5.9 openssl libraries.
Rob, can you add details please?



On to the next problem:


User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@lnxrealmtest.liberty.edu:

Joining realm failed: SASL Bind failed Local error (-2) !
child exited with 9
Installation failed. Rolling back changes.


Run ipa-client-install with the "-d" debug flag to get more information. I've had 
the same issue due to the DNS reverse for the server not being correct (check the 
krb log in the server).


It is the same user that I use to login to the web interface, and I am 100% 
positive that I am not entering the password incorrectly.  So why else would 
the admin user not be able to bind to my IdM setup?

-Kenny



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users





--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/







--
Eduardo Mínguez Pérez
Infrastructure Consultant (RHCE, RHCSA)
Red Hat - Spain
Mobile: +34 629803049 (CET/CEST)
E-mail: eming...@redhat.com






Ok, if I have time, I'll try with a RHEL 5.8 client today.


As for debug output, this is what I get:

[root@r5-idmclient ~]# ipa-client-install --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: 
{'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu', 'uninstall': False, 
'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 
'permit': False, 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': 
False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 
'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt', 
'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal': None}
root        : DEBUG    missing options might be asked for interactively later

root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
root        : ERROR    LDAP Error: Connect error: TLS: hostname does not match CN in peer certificate
root        : DEBUG    will use domain: lnxrealmtest.liberty.edu

root        : DEBUG    will use server: lnxrealmtest01.liberty.edu

Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


I do have an A record and PTR record for both lnxrealmtest01.liberty.edu and 
lnxrealmtest.lnxrealmtest.liberty.edu.

The part that confuses me (I'm still new to the innards of SSL) is this:

LDAP Error: Connect error: TLS: hostname does not match CN in peer certificate

When I look at the cert using:

openssl x509 -in /etc/ipa/ca.crt -noout -text

I see this:

        Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
        Validity
            Not Before: Jul 25 18:22:53 2013 GMT
            Not After : Jul 25 18:22:53 2033 GMT
        Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority


and ...

OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp


So is it trying to use CN=Certificate Authority when it's expecting the host 
name of the IPA server?

-Kenny
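To illustrate the check behind "hostname does not match CN in peer certificate", here is an added example (not code from the thread or from FreeIPA): it applies the usual TLS name-matching rule, SAN dNSName entries first and the subject CN only when no SAN is present, to certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The CA certificate dict is modelled on the `openssl x509` output above; the server certificate dict, with the FQDN `lnxrealmtest01.lnxrealmtest.liberty.edu` as CN and SAN, is an assumption (the thread never prints the LDAP server's own certificate).

```python
"""Hostname-vs-certificate matching as a TLS client performs it.

The name the client checks is the one it was told to connect to (here the
value of --server), and it is compared against the *server's* certificate,
never against the CA certificate in /etc/ipa/ca.crt.
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style compare: case-insensitive, one leftmost '*' label allowed."""
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if len(plabels) != len(hlabels):
        return False  # a wildcard never spans more than one label
    if plabels[0] == "*":
        return plabels[1:] == hlabels[1:]
    return plabels == hlabels


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is a name the certificate was issued for.

    `cert` uses the getpeercert() layout: 'subject' is a tuple of RDNs, each a
    tuple of (attribute, value) pairs; 'subjectAltName' is a tuple of
    (type, value) pairs. SAN dNSName entries take precedence; the CN is only
    consulted when the certificate carries no SAN at all.
    """
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_dns_name_matches(n, hostname) for n in san_names)
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return _dns_name_matches(value, hostname)
    return False


# Constructed from the openssl output in the thread: the CA certificate.
# Its CN is not a hostname, so it can never satisfy a hostname check.
IPA_CA_CERT = {
    "subject": ((("organizationName", "LNXREALMTEST.LIBERTY.EDU"),),
                (("commonName", "Certificate Authority"),)),
}

# Assumed server certificate (not shown in the thread): CN and SAN carry the
# server's full FQDN, as the OCSP URI in the CA certificate suggests.
IPA_SERVER_CERT = {
    "subject": ((("organizationName", "LNXREALMTEST.LIBERTY.EDU"),),
                (("commonName", "lnxrealmtest01.lnxrealmtest.liberty.edu"),)),
    "subjectAltName": (("DNS", "lnxrealmtest01.lnxrealmtest.liberty.edu"),),
}
```

Under these assumptions the short name passed with `--server` fails against the server certificate while the FQDN used in the second, more successful attempt passes, which is why the name given to `--server` has to be exactly one the server certificate was issued for.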